Cisco 640-553
640-553 IINS Implementing Cisco IOS Network Security
Practice Test
Version 14.25
http://certkill.com
QUESTION NO: 1
Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to
host 192.168.1.10?
A. access-list 101 permit tcp any eq 3030
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80
Answer: B
QUESTION NO: 2 DRAG DROP
Drag the three correct statements about the IPsec protocol from the list above to the list below.
Answer:
Cisco 640-553: Practice Exam
QUESTION NO: 3
In a brute-force attack, what percentage of the keyspace must an attacker generally search
through until he or she finds the key that decrypts the data?
A. Roughly 50 percent
B. Roughly 66 percent
C. Roughly 75 percent
D. Roughly 10 percent
Answer: A
QUESTION NO: 4
Information from Cisco Router and Security Device Manager (SDM) is shown below:
Within the "sdm-permit" policy map, what is the action assigned to the traffic class "class-default"?
A. inspect
B. pass
C. drop
D. police
E. log
Answer: C
QUESTION NO: 5 DRAG DROP
On the basis of the description of SSL-based VPN, place the correct descriptions in the proper
locations.
Answer:
QUESTION NO: 6
Refer to the exhibit and partial configuration. Which statement is true?
A. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.
B. All traffic from network 10.0.0.0 will be permitted.
C. Access-list 101 will prevent address spoofing from interface E0.
D. This is a misconfigured ACL resulting in traffic not being allowed into the router in interface S0.
E. This ACL will prevent any host on the Internet from spoofing the inside network address as the
source address for packets coming into the router from the Internet.
Answer: C
QUESTION NO: 7
Which of these can be used to authenticate the IPsec peers during IKE Phase 1?
A. Diffie-Hellman Nonce
B. pre-shared key
C. XAUTH
D. integrity check value
E. ACS
F. AH
Answer: B
Explanation:
Internet Key Exchange (IKE) executes the following phases:
+ IKE Phase 1: Two IPsec peers perform the initial negotiation of SAs. Phase 1 generates an
Internet Security Association and Key Management Protocol (ISAKMP) SA, used for management
traffic. Public key techniques or, alternatively, a pre-shared key are used to mutually authenticate
the communicating parties. Phase 1 operates in either Main Mode or Aggressive Mode. Main
Mode protects the identity of the peers; Aggressive Mode does not.
+ IKE Phase 2: SAs are negotiated by the IKE process ISAKMP on behalf of other services, such
as IPsec, that need encryption key material for operation. IKE Phase 2 is used to build IPsec SAs,
which are for passing end-user data. Additional service negotiations occur in IKE Phase 1, DPD,
Mode Config, and so on.
QUESTION NO: 8
Which description about asymmetric encryption algorithms is correct?
A. They use the same key for encryption and decryption of data.
B. They use different keys for decryption but the same key for encryption of data.
C. They use different keys for encryption and decryption of data.